Referrer-Policy header
The HTTP Referrer-Policy {{Glossary("response header")}} controls how much referrer information (sent with the {{HTTPHeader("Referer")}} header) should be included with requests.
Aside from the HTTP header, you can set this policy in HTML.
| Header type | `{{Glossary("Response header")}}` |
|---|
Syntax
Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
[!NOTE] The header name
{{HTTPHeader("Referer")}}is a misspelling of the word “referrer”. TheReferrer-Policyheader does not share this misspelling.
Directives
-
no-referrer- : The
{{HTTPHeader("Referer")}}header will be omitted: sent requests do not include any referrer information.
- : The
-
no-referrer-when-downgrade- : Send the
{{glossary("origin")}}, path, and query string in{{HTTPHeader("Referer")}}when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don’t send the{{HTTPHeader("Referer")}}header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
- : Send the
-
origin- : Send only the
{{glossary("origin")}}in the{{HTTPHeader("Referer")}}header. For example, a document athttps://example.com/page.htmlwill send the referrerhttps://example.com/.
- : Send only the
-
origin-when-cross-origin- : When performing a
{{glossary("Same-origin_policy", "same-origin")}}request, send the{{glossary("origin")}}, path, and query string. Send only the origin for cross origin requests and requests to less secure destinations (HTTPS→HTTP).
- : When performing a
-
same-origin- : Send the
{{glossary("origin")}}, path, and query string for{{glossary("Same-origin_policy", "same-origin")}}requests. Don’t send the{{HTTPHeader("Referer")}}header for cross-origin requests.
- : Send the
-
strict-origin- : Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don’t send the
{{HTTPHeader("Referer")}}header to less secure destinations (HTTPS→HTTP).
- : Send only the origin when the protocol security level stays the same (HTTPS→HTTPS). Don’t send the
-
strict-origin-when-cross-origin(default)-
: Send the origin, path, and query string when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don’t send the
{{HTTPHeader("Referer")}}header to less secure destinations (HTTPS→HTTP).[!NOTE] This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was
no-referrer-when-downgrade.
-
-
unsafe-url-
: Send the origin, path, and query string when performing any request, regardless of security.
[!WARNING] This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.
-
Integration with HTML
You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a {{HTMLElement("meta")}} element with a name of referrer:
<meta name="referrer" content="origin" />
You can specify the referrerpolicy attribute on {{HTMLElement("a")}} , {{HTMLElement("area")}} , {{HTMLElement("img")}} , {{HTMLElement("iframe")}} , {{HTMLElement("script")}} , or {{HTMLElement("link")}} elements to set referrer policies for individual requests:
<a href="http://example.com" referrerpolicy="origin">…</a>
Alternatively, you can set a noreferrer link relation on an a, area, or link elements:
<a href="http://example.com" rel="noreferrer">…</a>
[!WARNING] As seen above, the
noreferrerlink relation is written without a dash. When you specify the referrer policy for the entire document with a{{HTMLElement("meta")}}element, it should be written with a dash:<meta name="referrer" content="no-referrer">.
Integration with CSS
CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:
- External CSS stylesheets use the default policy (
strict-origin-when-cross-origin), unless it’s overwritten by aReferrer-PolicyHTTP header on the CSS stylesheet’s response. - For
{{HTMLElement("style")}}elements orstyleattributes, the owner document’s referrer policy is used.
Examples
no-referrer
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
anywhere | (no referrer) |
no-referrer-when-downgrade
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
https://example.com/otherpage |
https://example.com/page |
https://example.com/page |
https://mozilla.org |
https://example.com/page |
https://example.com/page |
http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/page |
origin
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
anywhere | https://example.com/ |
origin-when-cross-origin
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
https://example.com/otherpage |
https://example.com/page |
https://example.com/page |
https://mozilla.org |
https://example.com/ |
https://example.com/page |
http://example.com/page | https://example.com/ |
same-origin
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
https://example.com/otherpage |
https://example.com/page |
https://example.com/page |
https://mozilla.org |
(no referrer) |
strict-origin
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
https://mozilla.org |
https://example.com/ |
https://example.com/page |
http://example.com | (no referrer) |
| http://example.com/page | anywhere | http://example.com/ |
strict-origin-when-cross-origin
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page |
https://example.com/otherpage |
https://example.com/page |
https://example.com/page |
https://mozilla.org |
https://example.com/ |
https://example.com/page |
http://example.com | (no referrer) |
unsafe-url
| From document | Navigation to | Referrer used |
|---|---|---|
https://example.com/page?q=123 |
anywhere | https://example.com/page?q=123 |
Specify a fallback policy
If you want to specify a fallback policy in case the desired policy hasn’t got wide enough browser support, use a comma-separated list with the desired policy specified last:
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
In the above scenario, no-referrer is used only if the browser does not support the strict-origin-when-cross-origin policy.
[!NOTE] Specifying multiple values is only supported in the
Referrer-PolicyHTTP header, and not in thereferrerpolicyattribute.
Browser-specific preferences/settings
Firefox preferences
You can configure the default referrer policy in Firefox preferences. The preference names are version specific:
- Firefox version 59 and later:
network.http.referer.defaultPolicy(andnetwork.http.referer.defaultPolicy.pbmodefor private networks) - Firefox versions 53 to 58:
network.http.referer.userControlPolicy
All of these settings take the same set of values: 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin, 3 = no-referrer-when-downgrade.
Specifications
{{Specifications}}
Browser compatibility
{{Compat}}
See also
- Web security > Referer header: privacy and security concerns
- When using Fetch:
{{domxref("Request.referrerPolicy")}} - Same-origin policy
- HTTP referer on Wikipedia
- Tighter Control Over Your Referrers – Mozilla Security Blog